CVE-2026-43568
Undergoing Analysis Undergoing Analysis - In Progress
Privilege Escalation in OpenClaw via Dreaming Endpoint

Publication date: 2026-05-05

Last updated on: 2026-05-07

Assigner: VulnCheck

Description
OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify persistent memory dreaming settings. Attackers with write-scoped gateway access can toggle admin-class configuration mutations through the /dreaming endpoint to escalate privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43568
EUVD
EUVD-2026-27287
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw From 2026.4.5 (inc) to 2026.4.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-43568 is a privilege escalation vulnerability in OpenClaw versions 2026.4.5 through 2026.4.9. It allows attackers who have write-scoped gateway access to modify persistent memory dreaming settings via the /dreaming endpoint, which should only be accessible to admin-level users.

The vulnerability arises because the system does not properly check if the user has admin privileges before allowing changes to the dreaming configuration. This improper authorization allows attackers to toggle admin-class configuration mutations, effectively escalating their privileges.

The issue was fixed in version 2026.4.10 by adding checks that require admin scope to mutate dreaming settings and normalizing missing scopes to prevent silent privilege escalation.

Impact Analysis

This vulnerability can allow an attacker with write-scoped gateway access to escalate their privileges to admin level by modifying persistent memory dreaming settings through the /dreaming endpoint.

As a result, the attacker could make unauthorized configuration changes that are normally restricted to administrators, potentially compromising the security and integrity of the system.

Detection Guidance

This vulnerability involves unauthorized modification of persistent memory dreaming settings via the /dreaming endpoint by write-scoped operators. Detection can focus on monitoring access and changes to this endpoint.

You can detect potential exploitation by checking logs or network traffic for requests to the /dreaming endpoint that attempt to toggle dreaming settings without admin privileges.

Suggested commands include inspecting gateway client scopes and monitoring commands sent to the /dreaming endpoint. For example, reviewing logs for commands like `/dreaming on` or `/dreaming off` issued by non-admin scoped clients.

Since the vulnerability is related to improper authorization, you may also audit the scopes assigned to gateway clients to identify any write-scoped operators attempting admin-class configuration mutations.

Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.4.10 or later, as this version contains the patch that fixes the privilege escalation vulnerability.

The patch enforces proper authorization by requiring admin privileges to mutate dreaming settings via the /dreaming endpoint, preventing write-scoped operators from making unauthorized changes.

Additionally, review and restrict gateway client scopes to ensure that only trusted users have admin-level access, minimizing the risk of exploitation.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43568. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart